netbsd-bugs: kern/5026: vrele: ref cnt -1

Subject: kern/5026: vrele: ref cnt -1
To: None <gnats-bugs@gnats.netbsd.org>
From: None <greg@johnny.cs.unlv.edu>
List: netbsd-bugs
Date: 02/20/1998 13:11:22
>Number:         5026
>Category:       kern
>Synopsis:       vrele: ref cnt -1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 20 13:20:00 1998
>Last-Modified:
>Originator:     Greg Wohletz
>Organization:
UNLV
>Release:        1.3
>Environment:
Pentium 120, NetBSD/i386 1.3
System: NetBSD johnny.cs.unlv.edu 1.3 NetBSD 1.3 (UNLVfs) #4: Wed Feb 11 10:54:22 PST 1998 greg@bb.cs.unlv.edu:/sd0/src1/OS/NetBSD/NetBSD-1.3/src/sys/arch/i386/compile/UNLVfs i386


>Description:
	Kernel occasionally panics with ``vrele: ref cnt'' the refcount of
	the vnode being released somehow gets set to -1.  If the DIAGNOSTIC
	check is turned off the system will then panic whenever this vnode
	is reclaimed from the free list.

	The following is a ``bt'' of the corefile:

 #0  0xf079df80 in ?? ()
 #1  0x1686000 in ?? ()
 #2  0xf01b5b8b in cpu_reboot (howto=260, bootstr=0x0)
     at ../../../../arch/i386/i386/machdep.c:1177
 #3  0xf012226a in panic (fmt=0xf0137450 "vrele: ref cnt")
     at ../../../../kern/subr_prf.c:150
 #4  0xf01374a6 in vrele (vp=0xf079a080) at ../../../../kern/vfs_subr.c:869
 #5  0xf0137427 in vput (vp=0xf079a080) at ../../../../kern/vfs_subr.c:847
 #6  0xf01a2d6b in qsync (mp=0xf07a5400) at
 ../../../../ufs/ufs/ufs_quota.c:654
 #7  0xf019890c in ffs_sync (mp=0xf07a5400, waitfor=2, cred=0xf0730900, 
     p=0xf01fc088) at ../../../../ufs/ffs/ffs_vfsops.c:761
 #8  0xf0139079 in sys_sync (p=0xf01fc088, v=0x0, retval=0x0)
     at ../../../../kern/vfs_syscalls.c:492
 #9  0xf01384c4 in vfs_shutdown () at ../../../../kern/vfs_subr.c:1770
 #10 0xf01b5b63 in cpu_reboot (howto=256, bootstr=0x0)
     at ../../../../arch/i386/i386/machdep.c:1164
 #11 0xf012226a in panic (fmt=0xf0137450 "vrele: ref cnt")
     at ../../../../kern/subr_prf.c:150
 #12 0xf01374a6 in vrele (vp=0xf079a080) at ../../../../kern/vfs_subr.c:869
 #13 0xf0171b9c in nfsrv_rename (nfsd=0xf07a1800, slp=0xf072f500, 
     procp=0xf07a5600, mrq=0xf318ae0c) at ../../../../nfs/nfs_serv.c:1931
 #14 0xf0182a12 in nfssvc_nfsd (nsd=0xf318ae50, 
     argp=0x329c <Address 0x329c out of bounds>, p=0xf07a5600)
     at ../../../../nfs/nfs_syscalls.c:626
 #15 0xf018225e in sys_nfssvc (p=0xf07a5600, v=0xf318af88, retval=0xf318af80)
     at ../../../../nfs/nfs_syscalls.c:352
 #16 0xf01b9a04 in syscall (frame={tf_es = 31, tf_ds = 31, tf_edi = -272638092, 
      tf_esi = 16, tf_ebp = -272638164, tf_ebx = 0, tf_edx = -272637968, 
      tf_ecx = -272638472, tf_eax = 155, tf_trapno = 3, tf_err = 2, 
      tf_eip = 1073990691, tf_cs = 23, tf_eflags = 646, tf_esp = -272638332, 
      tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0, 
      tf_vm86_gs = 0}) at ../../../../arch/i386/i386/trap.c:658

   
    The kernel (with debugging symbols) and the core file can be retreived
    by interested parties at:

	http://www.unlv.edu/~greg/netbsd.gdb
	http://www.unlv.edu/~greg/netbsd.1.core

>How-To-Repeat:
	On a busy fileserver this happens about twice a month, but has in
	the past happened twice in the same day.
>Fix:
	Unknown.
>Audit-Trail:
>Unformatted: